If you have a site that uses "vary:" headers such as "vary: cookie" to
distinguish between the cacheability of pages for cookied and non-cookied users,
this header will get overwritten if you enable gzip negotiation in Tomcat's
server.xml config.
If gzip negotiation is enabled it should modify the vary header *not* overwrite it.
This is quite bad as enabling gzip in the config can currently cause incorrect
files to get cached in browsers/proxies. By the time a developer realises that
the gzip functionality is broken in this way, various caches will hold the wrong
content possibly for long periods of time even once gzip is turned off again.
I suggest putting a warning in the server.xml against using gzip negotiation if
you are already using vary headers until this bug gets fixed.

Created attachment 18424
A patch that fixes the overwriting vary header bug
This change checks for existing Vary headers and will add to any existing
values in the Vary header. If there is no existing Vary header then it will add
a new one as before.
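
Added example, not part of the thread or the attached patch: a minimal Java sketch of the merge behaviour described in the comment above, where the gzip path appends Accept-Encoding to an existing Vary value instead of replacing it. The class and method names (VaryMerge, addVaryValue) and the sample header values are hypothetical, chosen for illustration.

```java
// Added illustration; VaryMerge and addVaryValue are hypothetical names,
// not identifiers from Tomcat or from attachment 18424.
public class VaryMerge {

    /**
     * Returns the Vary value to send once 'field' has been added to it.
     * 'existing' is the Vary value already set by the application, or null.
     */
    static String addVaryValue(String existing, String field) {
        if (existing == null || existing.trim().isEmpty()) {
            return field;                  // no Vary header yet: set a new one
        }
        for (String token : existing.split(",")) {
            String t = token.trim();
            if (t.equals("*")) {
                return existing;           // "*" already covers every request header
            }
            if (t.equalsIgnoreCase(field)) {
                return existing;           // field names are case-insensitive: no duplicate
            }
        }
        return existing + "," + field;     // append, so e.g. Cookie is preserved
    }

    public static void main(String[] args) {
        // Constructed sample values for an application-set Vary header.
        String[] samples = { null, "Cookie", "cookie, accept-encoding", "*" };
        for (String s : samples) {
            // Overwriting would yield "Accept-Encoding" for every sample, so a
            // shared cache would stop keying responses on the Cookie header.
            System.out.println(s + " -> " + addVaryValue(s, "Accept-Encoding"));
        }
    }
}
```

A check for a deployed server is to request a page that sets "Vary: Cookie" with and without an Accept-Encoding: gzip request header and confirm that Cookie is still listed in the Vary response header in both cases.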

(In reply to comment #2)
> Good catch: thanks for reporting this.
Ohh it was a nice xmas present that someone picked this up :)
Please note that the patch only patched
Http11AprProcessor.java
The other HttpProcessor.java needs fixing too. I'm not sure what the difference
is between these files but they both have the same Vary bug.
